Gaobot.LTL

It connects to IRC servers in order to receive remote control commands and prevents users from accessing websites belonging to several computer security companies. To reach as many computers as possible, it spreads by exploiting the LSASS and RPC DCOM vulnerabilities, among others, as well as through other means of transmission.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on:

Jan. 3, 2006

Detection updated on:

Jan. 5, 2006

Statistics

No

Proactive protection:

Yes, using TruPrevent Technologies

Brief Description

Gaobot.LTL is a worm that connects to several IRC servers in order to receive remote control commands, acting as a backdoor. It can be instructed to obtain computer passwords, launch DoS (Denial of Service) attacks, scan IP addresses, etc.

This worm also prevents the user from accessing websites belonging to computer security companies. As a result, among other consequences, the antivirus programs from those companies cannot be updated, which leaves the affected computer vulnerable to attack by other malware.

Gaobot.LTL uses several different means to spread:

Across the Internet, by exploiting the LSASS, RPC DCOM, WebDAV and UPnP vulnerabilities.

Across networks.

Through several peer-to-peer (P2P) file sharing programs.

Via AOL Instant Messenger (AIM) and IRC.

Via email.

Downloading the security patches for the LSASS, RPC DCOM, WebDAV and UPnP vulnerabilities from the Microsoft website is highly recommended.

Visible Symptoms

Gaobot.LTL is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.